Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08/03/2024, 00:12
Static task: static1
Behavioral task: behavioral1
  Sample: ba0600902b59d617ad9b3d07a54ecfbe.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ba0600902b59d617ad9b3d07a54ecfbe.exe
  Resource: win10v2004-20240226-en
General
Target: ba0600902b59d617ad9b3d07a54ecfbe.exe
Size: 4.5MB
MD5: ba0600902b59d617ad9b3d07a54ecfbe
SHA1: e2d08fabfcdbfb382f5f3cbe6e3f113644a2253b
SHA256: c60dcd961d8fce08b61af71d45aafb6a0f2ca35397e006e8ef5024dc8d1e2692
SHA512: d33e84d326c38d875745c3e2a5308bfa286a41cfc11bfc093f6874843afd24246c39ed84d28065edb2fa7b89ceedcc170a10a08ca5eb237add176e88bc54a01b
SSDEEP: 49152:wVRVONInHx/4MnYYJ2ZhqSGLHkJEMaBMO+YrovpU/91OhKPgssSt2gDlYvoGxUSV:wVRVONxIDQjOgkOhv7SttsRXB
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | ba0600902b59d617ad9b3d07a54ecfbe.exe
Drops autorun.inf file (1 TTP, 1 IoC)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | ba0600902b59d617ad9b3d07a54ecfbe.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\waitfor.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\autoconv.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\ipconfig.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\sethc.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\SystemPropertiesPerformance.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\gpresult.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\logman.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\mshta.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\mtstocom.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\CertEnrollCtrl.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\clip.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\dfrgui.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\eudcedit.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\raserver.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\sc.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\unlodctr.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\DeviceProperties.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\expand.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\nslookup.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\resmon.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\dllhst3g.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\drvinst.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\RMActivate_isv.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\sfc.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\InfDefaultInstall.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\winrshost.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\reg.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\cmstp.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\mountvol.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\msiexec.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\ReAgentc.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\regedit.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\SecEdit.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\autofmt.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\chkntfs.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\cscript.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\rasautou.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\logagent.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\RpcPing.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\wiaacmgr.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\WPDShextAutoplay.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\net.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\rasphone.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\RMActivate_ssp.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\sbunattend.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\IME\IMESC5\IMSCPROP.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\bootcfg.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\instnm.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\InstallShield\setup.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\AtBroker.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\SetIEInstalledDate.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\wimserv.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\rrinstaller.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\com\comrepl.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\print.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\rdrleakdiag.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\RMActivate.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\bitsadmin.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\HOSTNAME.EXE | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\typeperf.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\cmdl32.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\SysWOW64\ddodiag.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Program Files\Java\jre7\bin\jabswitch.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Program Files\Mozilla Firefox\firefox.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Windows Media Player\wmlaunch.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\WMPDMC.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.1.7601.17514_none_736d5be520319b24\tzupd.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_netfx35linq-addinutil_31bf3856ad364e35_6.1.7601.17514_none_29443e96f9fb6564\AddInUtil.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277_lsass.exe_682060de | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81_iscsicli.exe_20e14d4f | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..mes-spidersolitaire_31bf3856ad364e35_6.1.7600.16385_none_dead260d8f002b73\SpiderSolitaire.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_288b7acec3a75696\wsmprovhost.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_aspnet_regsql_b03f5f7f11d50a3a_6.1.7600.16385_none_dcb42ec76404494f\aspnet_regsql.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647\appidpolicyconverter.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehprivjob_31bf3856ad364e35_6.1.7601.17514_none_53393627486ae37b\ehprivjob.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_6.1.7600.16385_none_ad5854ca0a23343d\mount.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-eudcedit_31bf3856ad364e35_6.1.7601.17514_none_b7be8a14d61db17a\eudcedit.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_a0cf62efee3228a3\wabmig.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\msil_ieexec_b03f5f7f11d50a3a_6.1.7600.16385_none_53678ee8c3f93f6b\IEExec.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-wpd-shellextension_31bf3856ad364e35_6.1.7601.17514_none_6f4ef219dd693ca6\WPDShextAutoplay.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\4cc02fad33053737088d4c18267ca0a0\Narrator.ni.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\SMSvcHost.ni.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\wmplayer.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\ndadmin.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3_csrss.exe_06529458 | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\loadmxf\6.1.0.0__31bf3856ad364e35\loadmxf.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_caspol_b03f5f7f11d50a3a_6.1.7601.17514_none_f885d1129806720d\CasPol.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d\dllhost.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\IMEPADSV.EXE | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_brmfcmf.inf_31bf3856ad364e35_6.1.7600.16385_none_6f8740b92fea8e01\BrmfRsmg.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\wow64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_dbd4d2796675bc72\SearchFilterHost.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_092d6b9141f16aca_winmgmt.exe_8f8eb7b1 | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-icm-ui_31bf3856ad364e35_6.1.7600.16385_none_a0a25363eee12f40\colorcpl.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4008824c98f8edac\dnscacheugc.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-telnet-server-tlntsvr_31bf3856ad364e35_6.1.7600.16385_none_1ab997fb0a83afdd\tlntsvr.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\qappsrv.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_6.1.7601.17514_none_5ffc161221c1b4f6\rdpclip.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\x86_installutil_b03f5f7f11d50a3a_6.1.7601.17514_none_4fd3f543ddc446fa\InstallUtil.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-efs-rekeywiz_31bf3856ad364e35_6.1.7600.16385_none_63df9c242588e5fc\rekeywiz.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_6.1.7601.17514_none_38a043f2b45f9ad2\msconfig.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-security-secedit_31bf3856ad364e35_6.1.7600.16385_none_0adc1fc1cb6f944b\SecEdit.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_e3fb573520033bfa\autochk.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Windows\assembly\GAC_MSIL\Narrator\6.1.0.0__31bf3856ad364e35\Narrator.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7601.17514_none_ce2d22115368db7a\WerFault.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-ieetwcollector_31bf3856ad364e35_11.2.9600.16428_none_a56da9e617d4f97e\ieetwcollector.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..mes-spidersolitaire_31bf3856ad364e35_6.1.7600.16385_none_dead260d8f002b73\SpiderSolitaire.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-winrsplugins_31bf3856ad364e35_6.1.7600.16385_none_722b680e4b585656\winrs.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_3e69140a61f1eff5_hdwwiz.exe_b6a1c2df | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\msil_addinutil_b77a5c561934e089_6.1.7601.17514_none_1a816bc7556b71eb\AddInUtil.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\ehome\ehrec.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-checkers_31bf3856ad364e35_6.1.7601.17514_none_d467c138cbce0b24\chkrzm.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..l-inboxgames-hearts_31bf3856ad364e35_6.1.7600.16385_none_4ffeefd67d89d45b\Hearts.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-security-vault_31bf3856ad364e35_6.1.7600.16385_none_4d5e025e54ba15f8\VaultCmd.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe$ | ba0600902b59d617ad9b3d07a54ecfbe.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-chkdsk_31bf3856ad364e35_6.1.7600.16385_none_1ddb4b87a6618437\chkdsk.exe | ba0600902b59d617ad9b3d07a54ecfbe.exe
NTFS ADS (1 IoC)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | ba0600902b59d617ad9b3d07a54ecfbe.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1584 | ba0600902b59d617ad9b3d07a54ecfbe.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ba0600902b59d617ad9b3d07a54ecfbe.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ba0600902b59d617ad9b3d07a54ecfbe.exe"
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID: 1584
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4.5MB
MD5: ba0600902b59d617ad9b3d07a54ecfbe
SHA1: e2d08fabfcdbfb382f5f3cbe6e3f113644a2253b
SHA256: c60dcd961d8fce08b61af71d45aafb6a0f2ca35397e006e8ef5024dc8d1e2692
SHA512: d33e84d326c38d875745c3e2a5308bfa286a41cfc11bfc093f6874843afd24246c39ed84d28065edb2fa7b89ceedcc170a10a08ca5eb237add176e88bc54a01b